Hi Michael,

I'm not sure what we are gaining here. You're talking about "When the client sends the password hashes you send them to the target server. So the web client doesn't authenticate with the web server, it authenticates directly with the target server by proxying the NTLMSSP tokens." Are you talking about transitioning the protocol as well? e.g.

Client -- HTTP --> Your Website/PC -- RPC --> Domain Controller

Cheers
Ken
________________________________
From: Michael B Allen [mailto:[EMAIL PROTECTED]]
Sent: Tue 9/01/2007 5:24 PM
To: ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords

On Tue, 9 Jan 2007 14:13:33 +1100
"Ken Schaefer" <[EMAIL PROTECTED]> wrote:

> I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
> delegatable, so you can't (in the normal course of events) use this to create
> an account anywhere except on the local machine. There may be easier ways to
> create accounts on local machines.

Perhaps "proxy" would be a better term. When the web client requests the challenge you request it from the target server (e.g. the DC) and send it back to the client. When the client sends the password hashes you send them to the target server. So the web client doesn't authenticate with the web server, it authenticates directly with the target server by proxying the NTLMSSP tokens.

This is effectively a man-in-the-middle attack. Digital signatures are used to thwart an MITM, so if you require SMB signing you can prevent such an attack (although if you can authenticate LDAP with NTLM you might be able to get around that). Actually, now that I think about it, I think W2K3 requires SMB signing, so maybe this permutation wouldn't work. But workstations do not require SMB signing. One could authenticate back to the client and create an account or simply place an executable in their Startup.

But again, if you're already trusted on the network it's game over.

Mike

>
> On Mon, 8 Jan 2007 15:33:01 -0500
> "joe" <[EMAIL PROTECTED]> wrote:
>
> >
> But I can add an improved permutation to your dirty trick. Send out an
> email with a link to your site but use NTLM SSO pass-through to create a
> bogus account with a predefined password. If someone with domain admin
> privs so much as stumbles across your site they will create the said
> account and not even know they did it. No credentials necessary and no
> SSO account necessary. Just a website with an FQDN.
>
> There is one simple security setting that will thwart this attack
> though. For bonus points, does anyone know what it is? :->
>
> Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
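The NTLMSSP tokens Michael describes (the challenge the proxy relays from the target server, the response the client sends back) each carry negotiate flags that record whether the session will be signed, which is what decides whether a relayed session survives. The decoder below is an added example, not code from the thread or from ioplex: it walks the fixed header of each NTLMSSP message type as laid out in MS-NLMP and reports the signing and sealing bits, e.g. for reviewing tokens seen in an HTTP proxy log; the sample tokens are constructed, and the flags shown are NTLM session signing, distinct from the SMB-layer signing Michael names as the mitigation.

```python
import base64
import struct

# Subset of NTLMSSP NegotiateFlags (values from MS-NLMP 2.2.2.5).
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020
NEGOTIATE_ALWAYS_SIGN = 0x00008000
MSG_NEGOTIATE, MSG_CHALLENGE, MSG_AUTHENTICATE = 1, 2, 3
# Byte offset of NegotiateFlags in each message type (MS-NLMP 2.2.1.1-2.2.1.3).
FLAGS_OFFSET = {MSG_NEGOTIATE: 12, MSG_CHALLENGE: 20, MSG_AUTHENTICATE: 60}

def parse_ntlmssp(token: bytes) -> dict:
    """Decode one NTLMSSP token: message type, flags, and whether signing/sealing
    were negotiated (a relayed session breaks if the real server insists on signing)."""
    if len(token) < 12 or token[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    if msg_type not in FLAGS_OFFSET:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    off = FLAGS_OFFSET[msg_type]
    if len(token) < off + 4:
        raise ValueError("truncated NTLMSSP token")
    flags = struct.unpack_from("<I", token, off)[0]
    info = {
        "type": msg_type,
        "flags": flags,
        "sign": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
        "seal": bool(flags & NEGOTIATE_SEAL),
    }
    if msg_type == MSG_CHALLENGE:
        info["server_challenge"] = token[24:32]  # the 8-byte nonce a proxy forwards
    return info

def parse_ntlm_header(value: str) -> dict:
    """Decode a 'WWW-Authenticate: NTLM <b64>' or 'Authorization: NTLM <b64>' value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM header value")
    return parse_ntlmssp(base64.b64decode(b64))

def ntlm_header(token: bytes) -> str:
    """Encode a token the way it travels in the HTTP header."""
    return "NTLM " + base64.b64encode(token).decode("ascii")

# Constructed samples (not from any capture): a NEGOTIATE asking for SIGN|ALWAYS_SIGN,
# and a minimal 48-byte CHALLENGE whose flags (UNICODE|REQUEST_TARGET|NTLM) omit signing.
SAMPLE_NEGOTIATE = (b"NTLMSSP\x00" + struct.pack("<I", MSG_NEGOTIATE)
                    + struct.pack("<I", 0x00008215) + struct.pack("<HHI", 0, 0, 32) * 2)
SAMPLE_CHALLENGE = (b"NTLMSSP\x00" + struct.pack("<I", MSG_CHALLENGE)
                    + struct.pack("<HHI", 0, 0, 48) + struct.pack("<I", 0x00000205)
                    + bytes(range(1, 9)) + bytes(8) + struct.pack("<HHI", 0, 0, 48))
```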